Guess who just released #LibAFL 0.15.3?
That's right, you all did! (thank youβΊοΈ)
Highlights:
You can now replace libfuzzer with #LibAFL on Windows, thanks to @novafacing
Fuzzing 101 with LibAFL
Introductory guide on fuzzing using LibAFL, covering setup, techniques, and examples to discover software vulnerabilities.
https://epi052.gitlab.io/notes-to-self/blog/2021-11-01-fuzzing-101-with-libafl/
π¨ LibAFL 0.15.2 π¨
And so much more:
This is so cool: The LibAFL_QEMU ASan implementation was ported to rust
https://github.com/AFLplusplus/LibAFL/pull/3023
We've just released #LibAFL 0.15.0 - A big step toward 1.0 stable!
Featuring
Slides for my @ekoparty talk "Advanced Fuzzing
With #LibAFL"
Late last year we released #LibAFL 0.11.2
Highlights:
Full changelog:
https://github.com/AFLplusplus/LibAFL/releases/tag/0.11.2
The recording of our #37c3 talk "Fuzz Everything, Everywhere, All at Once - Advanced QEMU-based fuzzing" can be found here
https://media.ccc.de/v/37c3-12102-fuzz_everything_everywhere_all_at_once
We released #LibAFL 0.11 (and 0.11.1 with a doc fix).
Highlights:
https://github.com/AFLplusplus/LibAFL/releases/tag/0.11.0
Have fun #fuzzing
Fuzz your cargo-fuzz harness with LibAFL!
I'm happy to share the fuzz runtime described in our recent FUZZING'23 report, CrabSandwich, which expands on libafl_libfuzzer to allow for Rust support. This allows Rust developers to switch away from the now-in-stasis libFuzzer to a LibAFL-based runtime which supports most common features of libFuzzer seamlessly.
Want to try it out for yourself? Simply edit your existing cargo-fuzz harnesses' Cargo.toml to change the libfuzzer-sys dependency as shown here: https://github.com/rust-fuzz/cargo-fuzz/issues/330#issuecomment-1592911175
In most cases, the entire edit is a single-line change (!). At this time, we only support Linux, but are looking for contributions to expand to Windows and macOS as well.
Happy hunting! #fuzzing #rust #libafl #AFLplusplus
With lots of community help, we're proud to release #LibAFL 0.10!
β AFL++'s Redqueen
β CASR integration for crash analysis
β Low-overhead timeout handling
β EcoFuzz
β Full AFL++ forkserver support
β WASM fuzzing example
and much more. Get your copy at https://github.com/AFLplusplus/LibAFL/releases/tag/0.10.0
In case you missed it, this is a very cool series about fuzzing and LibAFL by @epi
Fuzzing Xpdf: https://epi052.gitlab.io/notes-to-self/blog/2021-11-01-fuzzing-101-with-libafl/
Speed Improvements: https://epi052.gitlab.io/notes-to-self/blog/2021-11-07-fuzzing-101-with-libafl-part-1.5/
Fuzzing libexif: https://epi052.gitlab.io/notes-to-self/blog/2021-11-07-fuzzing-101-with-libafl-part-2/
Fuzzing tcpdump: https://epi052.gitlab.io/notes-to-self/blog/2021-11-20-fuzzing-101-with-libafl-part-3/
Fuzzing LibTIFF: https://epi052.gitlab.io/notes-to-self/blog/2021-11-26-fuzzing-101-with-libafl-part-4/
Fuzzing LibXML2: https://epi052.gitlab.io/notes-to-self/blog/2022-01-17-fuzzing-101-with-libafl-part-5/
LibAFL 0.9.0 is out with a new logoπ₯
Highlights:
β QEMU user-mode and system-mode snapshot fuzzing
β Stable CorpusId when removing/updating entries in Corpus
β Tinyinst binary-only instrumentation
β Full support to AFL++ binaries with forkserver
...
Just found out #LibAFL launcher can print output of child processes if you set the LIBAFL_DEBUG_OUTPUT=1 env variable.
I knew this some time in the past, but forgot..
Cool series about fuzzing and LibAFL (credits @epi)
1: https://epi052.gitlab.io/notes-to-self/blog/2021-11-01-fuzzing-101-with-libafl/
1.5: https://epi052.gitlab.io/notes-to-self/blog/2021-11-07-fuzzing-101-with-libafl-part-1.5/
2: https://epi052.gitlab.io/notes-to-self/blog/2021-11-07-fuzzing-101-with-libafl-part-2/
3: https://epi052.gitlab.io/notes-to-self/blog/2021-11-20-fuzzing-101-with-libafl-part-3/
4: https://epi052.gitlab.io/notes-to-self/blog/2021-11-26-fuzzing-101-with-libafl-part-4/
5: https://epi052.gitlab.io/notes-to-self/blog/2022-01-17-fuzzing-101-with-libafl-part-5/
WRT #libfuzzer deprecation: the official alternative uses out-of-process fuzzing, which means the fuzzer doesn't run in the same process as the target.
This is what the original #AFL fuzzer does, as well.
It turns out that this doesn't scale well, thanks to IPC overhead and context switches for _every single _ testcase (of which you can reach millions per second of).*
We spent years creating good in-process fuzzing with #LibAFL, trying to match the success of libfuzzer, and it's sad to see the OG in-process fuzzer get depreciated in favour of an (IMHO) technically inferior alternative.
This may be a good engineering choice if you don't care about CPU cost and have an almost infinite amount of CPUs to spare.
The amount of companies worldwide that has a virtually infinite amount of CPU cores to spare for #fuzzing is low.
There are multiple ways to bring fuzzing to the masses, but this is not the one I would pick.
*the one reason where out-of-process fuzzing is favorable is for crashing targets. Instead of slowly restoring your state, you can simply respawn the target. However, most fuzzing campaigns are over when crashes are found.
